<!doctype html>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<meta http-equiv="Content-Security-Policy" content="frame-src https://localhost:8443">
<script>
    async_test(t => {
        var watcher = new EventWatcher(t, document, ['securitypolicyviolation']);
        watcher
            .wait_for('securitypolicyviolation')
            .then(t.step_func(e => {
                assert_equals(e.blockedURI, "http://localhost:8000", "The reported URL should be stripped.");
                assert_equals(e.lineNumber, 0, "The script line number shouldn't be reported.");
                t.done();
            }));

        window.onmessage = t.unreached_func('No message should be sent from the frame.');
        window.onload = _ => {
            // The test verifies that Content-Security-Policy from the main frame
            // restricts child frame's location even when the location is changed
            // as a result of a navigation trigerred from within the child frame
            // (which might reside in another renderer process due to --site-per-process).
            var url = "https://localhost:8443/security/contentSecurityPolicy/resources/frame-that-navigates-itself.html";
            var i = document.createElement('iframe');
            i.src = url;
            document.body.appendChild(i);
        };
    }, "The frame's navigation is blocked.");
</script>
